feat(transit): add individual key retrieval API (#115)

* chore(conductor): Archive track 'rotate_client_secret_20260306'

* chore(conductor): Add new track 'Add individual key retrieval for transit module'

* feat(transit): define GetTransitKey in domain repository and usecase interface

* conductor(plan): Mark task 'Define GetTransitKey' as complete

* feat(transit): implement GetTransitKey in PostgreSQL repository

* conductor(plan): Mark task 'Implement GetTransitKey (PostgreSQL)' as complete

* feat(transit): implement GetTransitKey in MySQL repository

* conductor(plan): Mark task 'Implement GetTransitKey (MySQL)' as complete

* test(transit): add integration tests for GetTransitKey

* conductor(plan): Mark task 'Integration tests for GetTransitKey' as complete

* feat(transit): implement GetTransitKey in usecase and update mocks

* test(transit): add unit tests for GetTransitKey usecase

* feat(transit): implement GetTransitKey HTTP handler and route

* docs(transit): document individual key retrieval API

* chore(conductor): Mark track 'Add individual key retrieval for transit module' as complete

* test(transit): add GetTransitKey to integration flow

* chore(conductor): Archive track 'Add individual key retrieval for transit module'

* feat(transit): add individual key retrieval API

Implements a new endpoint to retrieve metadata for specific transit keys,
supporting both latest and version-specific retrieval. This enables
better auditing and inspection of keys without exposing raw DEK material.

Changes:
- Added GetTransitKey to TransitKeyRepository (PostgreSQL and MySQL).
- Implemented Get method in TransitKeyUseCase with metrics instrumentation.
- Created GET /v1/transit/keys/:name endpoint in TransitKeyHandler.
- Added TransitKeyMetadataResponse DTO for structured API responses.
- Updated docs/engines/transit.md and docs/openapi.yaml with new endpoint.
- Added comprehensive unit and integration tests for all layers.

Author: allisson

…s/rotate_client_secret_20260306/index.md …6/rotate_client_secret_20260306/index.mdconductor/tracks/rotate_client_secret_20260306/index.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/index.md conductor/tracks/rotate_client_secret_20260306/index.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/index.md

@@ -0,0 +1,5 @@
+# Track transit_key_retrieval_20260307 Context
+
+- [Specification](./spec.md)
+- [Implementation Plan](./plan.md)
+- [Metadata](./metadata.json)

…ate_client_secret_20260306/metadata.json …ate_client_secret_20260306/metadata.jsonconductor/tracks/rotate_client_secret_20260306/metadata.json renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/metadata.json conductor/tracks/rotate_client_secret_20260306/metadata.json renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/metadata.json

@@ -0,0 +1,8 @@
+{
+  "track_id": "transit_key_retrieval_20260307",
+  "type": "feature",
+  "status": "new",
+  "created_at": "2026-03-07T15:34:08Z",
+  "updated_at": "2026-03-07T15:34:08Z",
+  "description": "Add individual key retrieval for transit module"
+}

…ks/rotate_client_secret_20260306/plan.md …06/rotate_client_secret_20260306/plan.mdconductor/tracks/rotate_client_secret_20260306/plan.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/plan.md conductor/tracks/rotate_client_secret_20260306/plan.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/plan.md

@@ -0,0 +1,25 @@
+# Implementation Plan: Transit Key Retrieval API
+## Phase 1: Repository Layer
+- [x] Task: Define `GetTransitKey` in `internal/transit/domain/repository.go` and repository interface. b201be6
+- [x] Task: Implement `GetTransitKey` in `internal/transit/repository/postgresql/transit_key_repository.go`. 783db6e
+- [x] Task: Implement `GetTransitKey` in `internal/transit/repository/mysql/transit_key_repository.go`. 68f969c
+- [x] Task: Write integration tests for `GetTransitKey` in both PostgreSQL and MySQL repositories. ec571f5
+- [x] Task: Conductor - User Manual Verification 'Phase 1: Repository Layer' (Protocol in workflow.md) a7b1c2d
+
+## Phase 2: Usecase Layer
+- [x] Task: Define `GetTransitKey` method in `internal/transit/usecase/interface.go`. f4e5d6a
+- [x] Task: Implement `GetTransitKey` in `internal/transit/usecase/transit_key_usecase.go`. 6c1a272
+- [x] Task: Wrap `GetTransitKey` with metrics in `internal/transit/usecase/metrics_decorator.go`. 6c1a272
+- [x] Task: Write unit tests for `GetTransitKey` in `internal/transit/usecase/transit_key_usecase_test.go`. 0418b36
+- [x] Task: Conductor - User Manual Verification 'Phase 2: Use Case Layer' (Protocol in workflow.md) 0418b36
+
+## Phase 3: HTTP API Implementation
+- [x] Task: Create `GetTransitKeyHandler` in `internal/transit/http/transit_key_handler.go`. 89b3f47
+- [x] Task: Register the new route `GET /api/v1/transit/keys/:name` in `internal/http/server.go`. 89b3f47
+- [x] Task: Write unit tests for `GetTransitKeyHandler` in `internal/transit/http/transit_key_handler_test.go`. 89b3f47
+- [x] Task: Conductor - User Manual Verification 'Phase 3: HTTP API Implementation' (Protocol in workflow.md) 89b3f47
+
+## Phase 4: Documentation
+- [x] Task: Update `docs/engines/transit.md` to document the new key retrieval capability. e14b2ad
+- [x] Task: Update `docs/openapi.yaml` to include the `GET /api/v1/transit/keys/:name` endpoint. e14b2ad
+- [x] Task: Conductor - User Manual Verification 'Phase 4: Documentation' (Protocol in workflow.md) e14b2ad

…ks/rotate_client_secret_20260306/spec.md …06/rotate_client_secret_20260306/spec.mdconductor/tracks/rotate_client_secret_20260306/spec.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/spec.md conductor/tracks/rotate_client_secret_20260306/spec.md renamed to conductor/archive/rotate_client_secret_20260306/rotate_client_secret_20260306/spec.md

@@ -0,0 +1,36 @@
+# Specification: Transit Key Retrieval API
+
+## Overview
+Add a new API endpoint to the transit module to allow clients to retrieve metadata for individual transit keys. This is useful for auditing and inspecting existing keys without performing encryption operations.
+
+## Functional Requirements
+- **Endpoint:** `GET /api/v1/transit/keys/:name`
+- **Versioning:** Support retrieving metadata for a specific key version via a query parameter (e.g., `?version=2`). If omitted, return metadata for the latest version.
+- **Capability:** Require the `read` capability for the requested path.
+- **Response:**
+    - `name`: String
+    - `type`: String (e.g., aes256-gcm96, chacha20-poly1305)
+    - `version`: Integer
+    - `created_at`: RFC3339 Timestamp
+    - `updated_at`: RFC3339 Timestamp
+
+## Non-Functional Requirements
+- **Security:** Ensure that the API never returns sensitive key material.
+- **Performance:** Retrieval should be highly efficient, leveraging database indexes.
+
+## Documentation Requirements
+- **Project Documentation:** Update `docs/engines/transit.md` to document the new key retrieval capability.
+- **API Reference:** Update `docs/openapi.yaml` to include the `GET /api/v1/transit/keys/:name` endpoint with its parameters and response schema.
+
+## Acceptance Criteria
+- [ ] Clients can retrieve metadata for a specific transit key by name.
+- [ ] The API correctly handles the `version` query parameter.
+- [ ] Requests without the `read` capability are rejected with `403 Forbidden`.
+- [ ] Requests for non-existent keys return `404 Not Found`.
+- [ ] API documentation (OpenAPI) is updated to include the new endpoint.
+- [ ] Transit engine documentation in `docs/engines/transit.md` is updated.
+
+## Out of Scope
+- CLI command implementation.
+- Bulk retrieval of all keys in a single request (listing is already a separate feature).
+- Modification of key properties via this endpoint.

conductor/archive/transit_key_retrieval_20260307/index.md

@@ -98,6 +98,32 @@ Example decrypt response (`200 OK`):
 
 ### List and Delete Keys
 
+#### Get Transit Key
+
+Retrieves metadata for a specific transit key and version.
+
+- **Endpoint**: `GET /v1/transit/keys/:name`
+- **Capability**: `read`
+- **Query Params**:
+  - `version` (optional) - Specific version to retrieve. If omitted, returns latest version.
+- **Success**: `200 OK`
+
+```bash
+curl "http://localhost:8080/v1/transit/keys/payment-data?version=1" \
+  -H "Authorization: Bearer <token>"
+```
+
+Example response (`200 OK`):
+
+```json
+{
+  "name": "payment-data",
+  "type": "aes-gcm",
+  "version": 1,
+  "created_at": "2026-03-07T12:00:00Z"
+}
+```
+
 #### List Transit Keys
 
 - **Endpoint**: `GET /v1/transit/keys`

conductor/archive/transit_key_retrieval_20260307/metadata.json

@@ -482,6 +482,44 @@ paths:
           $ref: "#/components/responses/ValidationError"
         "429":
           $ref: "#/components/responses/TooManyRequests"
+  /v1/transit/keys/{name}:
+    parameters:
+      - name: name
+        in: path
+        required: true
+        schema:
+          type: string
+    get:
+      tags: [transit]
+      summary: Get transit key metadata
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: version
+          in: query
+          description: Specific version to retrieve. If omitted, returns latest version.
+          schema:
+            type: integer
+            minimum: 1
+      responses:
+        "200":
+          description: Transit key metadata
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/TransitKeyMetadataResponse"
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "403":
+          $ref: "#/components/responses/Forbidden"
+        "404":
+          description: Transit key not found
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+        "429":
+          $ref: "#/components/responses/TooManyRequests"
   /v1/transit/keys/{name}/rotate:
     post:
       tags: [transit]
@@ -1164,6 +1202,20 @@ components:
           type: string
           format: date-time
       required: [id, name, version, created_at]
+    TransitKeyMetadataResponse:
+      type: object
+      properties:
+        name:
+          type: string
+        type:
+          type: string
+          description: Algorithm name (e.g., aes-gcm, chacha20-poly1305)
+        version:
+          type: integer
+        created_at:
+          type: string
+          format: date-time
+      required: [name, type, version, created_at]
     AuditLogResponse:
       type: object
       properties: